PatchSiren cyber security CVE debrief
CVE-2026-55433 coder CVE debrief
The Coder devcontainer recreate endpoint had an authorization issue. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, it relied on route middleware that checked only `ActionRead` on the workspace. Unlike the sibling delete endpoint, it performed no `ActionUpdate` check before triggering the destructive rebuild. This issue required an existing low-privilege role with access to the target workspace for exploitation. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed, similar to the delete endpoint. No known workarounds are available.
- Vendor
- coder
- Product
- Unknown
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of Coder versions before 2.29.7, 2.32.7, 2.33.8, and 2.34.2 who have low-privilege roles with access to target workspaces should be aware of this vulnerability. Security teams and administrators responsible for Coder installations should prioritize updating to the patched versions.
Technical summary
The devcontainer recreate endpoint in Coder had a security flaw due to insufficient authorization checks. Specifically, it only verified `ActionRead` on the workspace and lacked the `ActionUpdate` check that was present in the delete endpoint. This oversight allowed low-privilege users with workspace access to potentially exploit the endpoint for destructive rebuilds. The vulnerability was addressed by adding the necessary `ActionUpdate` authorization check in the affected versions.
Defensive priority
Medium priority should be given to updating Coder installations to versions 2.29.7, 2.32.7, 2.33.8, or 2.34.2, as applicable. Security teams should review their current configurations and user roles to ensure that low-privilege users do not have unintended access to workspaces.
Recommended defensive actions
- Update Coder to version 2.29.7, 2.32.7, 2.33.8, or 2.34.2, as applicable.
- Review and adjust user roles and permissions to ensure low-privilege users do not have access to sensitive workspaces.
- Monitor for any suspicious activity related to the devcontainer recreate endpoint.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Additional details can be found in the referenced GitHub pull request and release notes. The devcontainer recreate endpoint in Coder had a security flaw due to insufficient authorization checks. Specifically, it only verified `ActionRead` on the workspace and lacked the `ActionUpdate` check that was present in the delete endpoint. This oversight allowed low-privilege users with workspace access to potentially exploit the endpoint for destructive rebuilds. Users should verify their current configurations and user roles to ensure that low-privilege users do not have unintended access to workspaces. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 adds an explicit `ActionUpdate` authorization check before the agent is dialed, similar to the delete endpoint.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T01:16:27.760Z and has not been modified since then.